“Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” Those aren’t the words of Apple CEO Tim Cook or some other tech icon. They actually come from guidance issued last year by the Securities and Exchange Commission on cybersecurity.
Naturally, corporations are seeking to harness the power of technology to help their businesses, and much of that technology is connected to the internet. Yet, as the list of corporate hacking fiascos continues to grow, it has become clear that with every advance, companies can be placing themselves at increased risk of cyber intrusions.
Who is supposed to manage that risk, and according to what rules, is a trillion-dollar question that, for public companies, has not been answered with crystal clarity. The SEC issued general guidance on the subject in 2011 and again in 2018; that guidance included a call, in 2018, for improvement in the disclosure of cybersecurity risks. But developing clear-cut rules has been elusive in an area where threats are constantly evolving, and where each data breach features its own unique set of facts. The bottom line: the responsibilities of corporate boards to oversee the cyber-risks their companies face are still coming into focus.
Until that happens, one set of stakeholders is stepping eagerly into the void, hoping to create some rules (or at least exert some influence) of their own. That set of stakeholders is investors, and the tools they are using to wield influence are shareholder proposals. Investors’ attempts to affect how companies combat cyber threats could make shareholder proposals the next big battleground in managing cybersecurity risks.
Shareholders of The Walt Disney Company will consider one such proposal in March at the entertainment Goliath’s annual shareholder meeting in St. Louis. According to Disney’s latest proxy statement, corporate-governance gadfly James McRitchie is proposing that shareholders direct the board of directors to study adding metrics related to cybersecurity and data privacy into the performance measures of the company’s senior executives under their compensation incentive plans.
The Park Foundation Inc., a nonprofit organization headquartered in Ithaca, New York, issued a similar proposal last year to shareholders of telecom giant Verizon Communications Inc. “Verizon has made several policy commitments regarding data privacy and data security,” the proposal stated. “However, there is significant evidence that Verizon has not been successful at implementing those commitments and/or faces significant challenges to doing so.”
The Verizon shareholder proposal was ultimately defeated.
Ironically, one of the biggest challenges in defining appropriate governance policies for cybersecurity is that the risk disclosures desired by some shareholders may put companies at even greater risk. As Steve W. Klemash, Les Brorsen and Charles W. Seets Jr. of the EY Center for Board Matters have noted, decision-makers must weigh the need for disclosure “while keeping potentially sensitive information out of the hands of attackers.”
The tension between demands for transparency and the need to avoid harming companies puts shareholders, management teams and corporate boards in a bind. In light of the high stakes combined with a lack of consensus on best practices, it’s easy to see disputes over cybersecurity disclosures getting heated this proxy season.